
Roundabouts and Cyber Security

  • Writer: Christiane Wuillamie
  • Apr 21
  • 6 min read

Cybersecurity depends on something your technology cannot control

The technology is not the problem. The problem is the people and processes that operationalize it.

Most organizations have spent heavily on cybersecurity technology. Firewalls, endpoint protection, identity management, and monitoring tools. The investment is real, and the intent is serious.


Yet breaches keep happening — and a significant proportion trace back not to technical failure, but to human behavior. People clicking links they should not, bypassing controls under pressure, and assuming the system will catch what they missed.

A lesson from the roundabout

How we think about traffic safety determines how we actually behave.


Consider three ways of managing road safety: traffic lights, stop signs, and roundabouts. Each uses a different mechanism, and each produces a different outcome.

  • At a stop sign on a four-way intersection, behavior is driven by assumption. I stop; therefore, others will stop. I have stopped; therefore, it is safe to go. These assumptions are sometimes wrong, and the accident rates reflect that.

  • Traffic lights transfer accountability to the technology. Green means go. Red means stop. Drivers follow the signal and largely stop thinking for themselves. The problem is that human behavior does not simply comply with infrastructure. People speed through amber and often sneak through a red. They rely on the lights to protect them, and when the lights do not, the consequences are often serious, if not fatal.

  • Roundabouts work differently. Each driver takes personal responsibility for their own safety and for the safety of everyone else in the space. There is no signal to defer to. You must continuously assess the situation, make your own judgment, and act accordingly. The data consistently show that roundabouts produce lower accident and fatality rates than either of the other mechanisms.

The difference is not the engineering. It is the accountability framework: the rules of the roundabout, and the way accountability ensures people think before they act.

The same logic applies to cybersecurity

Technology sets the conditions. Culture determines how people behave.


Organizations have built impressive cybersecurity infrastructure. But much of it operates on the traffic light model: the system will catch it, the filter will block it, and the alert will fire. Employees are not expected to think; they are expected to follow the signals.

This creates a hidden vulnerability. When the signal is absent, delayed, or simply trusted too much, behavior reverts to previous default patterns.


Research consistently shows that human factors are present in the majority of cyber incidents. Phishing succeeds not because people are careless by nature, but because the conditions around them — stretch targets, time pressure, fragmented communication, weak escalation paths — make cybersafe behaviors harder to sustain. This is the domain of cyber security culture: the practical conditions that support people to act securely in their day-to-day work.

The question for any board or executive team is not simply whether the technology is adequate. It is whether the people operating around and alongside that technology have the ownership, clarity, and conditions to behave securely — even when no one is watching and even when it is inconvenient. 

What cybersecurity cultural risk looks like

The drivers of poor cyber behavior are often structural rather than attitudinal.


Organizations frequently diagnose cyber risk as an awareness problem. People need more training. They need closer management oversight. They need to be reminded. The assumption is that knowledge is the missing ingredient.


But in most cases, people already know what they are supposed to do. What they lack is a working environment that makes it realistic to do it.

The real causes of cybersecurity errors tend to include:

  • Stretch goals and time pressure that push secure behavior to the margins

  • Weak or unclear ownership over cyber responsibilities at the operational level

  • Poor escalation pathways that make reporting concerns slow or uncomfortable

  • Friction between security controls and workflow that drives people to workarounds

  • Leadership signals that reward speed over caution

  • Fragmented communication, which means policy does not reach operational reality

These are not attitude problems. They are design problems in the wider organizational ecosystem and its culture, and they will not be solved by awareness campaigns alone. Identifying these causal factors, and understanding which combination of them is active in a given situation, makes it possible to operationalize targeted change rather than a general intervention.

The parallel in safety culture

The same structural failures appear across risk domains.

It is worth noting that this logic is not unique to cybersecurity. The same patterns appear in safety culture: organizations with strong safety records are not simply those with the most rigorous procedures or best equipment. They are the ones where people at every level feel genuinely accountable, where near misses get reported rather than buried, and where the conditions of daily work support rather than undermine safe behavior.


The failure modes are strikingly similar. Overreliance on procedure. Weak ownership at the front line. Escalation paths that feel risky to use. Leadership behaviors that send the wrong signal under pressure.


Whether the risk is a data breach or a physical incident, the underlying question is the same: do the people closest to the risk have the clarity, the ownership, and the practical conditions to act on it? Or are they deferring to a system that cannot protect them on its own?

How leaders build a strong cybersecurity culture

Leadership’s role is to test whether accountability is real, not assumed.


Most executive teams can answer questions about their technology stack. Fewer can answer questions about the cultural conditions surrounding it.

Useful questions to ask include:

  • Where in the organization do people feel most exposed, and least able to act on it?

  • What happens when a cyber concern is raised at the operational level? How quickly does it move, and who owns the response?

  • Which parts of the business are under the most pressure, and how does that pressure interact with secure behavior?

  • Do our security controls align with how people actually do their jobs, or go against them?

  • What are our leading indicators telling us about behavioral risk, not just technical risk?


These questions do not have easy answers. But the organizations that are asking them and building the diagnostic capability to answer those questions are in a materially different position from those that are not.

Key topics covered in this article

  • Why technology alone cannot close the human element of cyber risk

  • How accountability structures shape security behavior

  • Why the root causes of poor cybersecurity culture are often structural, not attitudinal

  • The relationship between operational pressure and security risk

  • Parallels between cyber security culture and safety culture

  • What boards and executives should be asking about cultural risk

  • Leading indicators of a stronger cybersecurity culture

  • How to prioritize behavioral change alongside technical controls

About PYXIS Culture Technologies

PYXIS Culture Technologies helps organizations understand and improve the cultural drivers of performance, safety, and cyber resilience.

By combining deep research, operational experience, and advanced culture analytics, we help organizations close the gap between strategy and everyday behavior.


The PYXIS approach is effective:

  • We treat culture as a systemic business issue, not an HR initiative.

  • We identify key internal business practices that create performance and risk challenges and provide effective solutions you can immediately implement.

  • We link organizational culture to business and financial metrics, showing a clear ROI for strengthening alignment and performance. 

Connecting the dots

If the questions above resonate with what your organization is facing, it may be worth exploring what a structured diagnosis of your cybersecurity culture would reveal. You can find out more about how PYXIS works on the PYXIS Culture Technologies website.

About the Author

Christiane Wuillamie OBE is an advisor to senior leaders on cybersecurity culture and IT transformation. She has decades of experience advising boards and executive teams across Fortune 500 and FTSE 250 organizations. Christiane is a successful entrepreneur and business executive who founded a pioneering IT services company and grew it 100% year on year into a multimillion-pound enterprise, achieving a successful trade sale in 2001. Christiane’s passion is blending technology, agile tools, and cross-functional business processes with culture change to drive business transformation projects that deliver greater business agility, speed to market, and a significant competitive advantage.

Where is the murky water in your organization right now? The places where incidents go unreported and new hires are swimming without cover? I'd welcome your thoughts in the comments. To see how Pyxis maps the hidden drivers of cybersecurity culture and turns them into measurable action, visit www.pyxisculture.com.
